Working on a project that involves a Firebase-utilizing JavaScript web app that reaches out to a PHP file carrying protected functionality.
In order to do this I get a (JWT) token by calling:
firebase.auth().currentUser.getToken(true)
The full function being:
firebase.auth().currentUser.getToken(true).then(function(idToken) {
var uid = firebase.auth().currentUser.uid;
var http = new XMLHttpRequest();
var url = "http://localhost/jwt.php";
var params = "token=" + idToken + "&uid=" + uid;
http.open("POST", url, true);
//Send the proper header information along with the request
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.onreadystatechange = function() {//Call a function when the state changes.
if(http.readyState == 4 && http.status == 200) {
alert(http.responseText);
}
}
http.send(params);
console.log("TOKEN: " + idToken);
}).catch(function(error) {
// Handle error
});
On the PHP side I'm validating the token using the lcobucci/jwt library.
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Keychain;
use Lcobucci\JWT\Signer\Rsa\Sha256;
$data = new ValidationData();
$data->setIssuer('https://securetoken.google.com/<Project ID>');
$signer = new Sha256();
$keychain = new Keychain();
if($_POST["token"]) {
$token = (new Parser())->parse((string) $_POST["token"]);
$token->getHeaders(); // Retrieves the token header
$token->getClaims(); // Retrieves the token claims
$kid = $token->getHeader('kid');
$iat = $token->getClaim('iat');
//Grab Google keys
$json_url = file_get_contents('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
$json = json_decode($json_url, true);
$public_key = $json[$kid]; // Matches kid from header to private key provided by Google
try {
$isTokenValid = $token->verify($signer, $public_key); // Verify token
} catch (Exception $e) {
$isTokenValid = false;
}
if($isTokenValid) {
echo "Valid"; // Add protected functionality here
} else {
echo "Invalid";
}
}
My question is: is this secure?
